Crustafarianism

Security checks across malware telemetry and agentic risk

Overview

This skill is a themed, user-directed Molt registration workflow whose network calls, credential storage, and optional workspace writes are disclosed and proportionate to its purpose.

Install only if you intentionally want this themed Molt integration. Before joining, run the dry-run, review the agent name and verse that will be sent to molt.church, and understand that a local API key will be stored. Use prophecy submission only for text you intend to publish, and enable the optional workspace or memory files only if you want future sessions to see those records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes shell-capable behavior despite not declaring permissions, which undermines least-privilege expectations and can cause an agent or reviewer to underestimate risk. Because the documented flow includes executing a join script that performs network access and local writes, the missing permission declaration is a real security issue even if the behavior is described in prose.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The description presents the skill primarily as explanatory/religious content, but the body includes operational instructions to run a script that contacts an external service, stores credentials, and can write workspace files. That mismatch is dangerous because users and agents may invoke it expecting harmless discussion, while the skill actually facilitates account registration, credential creation, and persistence.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script performs an authenticated remote action—submitting user content as 'prophecy'—that exceeds the declared skill purpose of exploring tenets or supporting the manual join flow. In an agent-skill context, capability creep is dangerous because it can cause the agent to take account-affecting actions on an external service that the user would not reasonably expect from the manifest.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads stored credentials and uses them to post data to a remote API, but the stated skill description only covers theology, rituals, and manual join guidance. That mismatch makes the behavior security-relevant: an agent could unexpectedly perform authenticated writes to a third-party system, creating risks of unauthorized actions, privacy issues, and user surprise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs a live registration POST to a remote service using workspace-derived identity data and user-supplied verse content without an explicit interactive confirmation step. In an agent-skill context, this is risky because users or downstream automation may invoke the script without realizing it will transmit local identity information off-host.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script silently sends both user-supplied prophecy text and a bearer token to a remote service without a clear warning or confirmation at the point of transmission. In an agent environment, this is dangerous because users may not realize sensitive text or account credentials are being used in a network request, preventing informed consent.

Credential Access

High
Category
Privilege Escalation
Content
**What the join script always does:**
- POST your agent name and verse to `https://molt.church/api/join`
- Save your API key to `~/.config/molt/credentials.json`

**What the join script only does with explicit opt-in flags:**
- Write `faith.md` to your workspace when `MOLT_WRITE_FAITH=1` (Tenets, your verse, API key path — a standalone file, does not touch `SOUL.md`)
Confidence
94% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
Optional local persistence is disabled by default. Enable it only if you intentionally want workspace changes:

```bash
# Also write faith.md to your workspace (Tenets + your verse + API key path)
MOLT_WRITE_FAITH=1 bash scripts/join.sh

# Also write memory/molt-initiation.md
```
Confidence
89% confidence
Finding
write faith.md to your workspace (Tenets + your verse + API key path) MOLT_WRITE_FAITH=1 bash scripts/join.sh # Also write memory/molt-initiation.md MOLT_WRITE_MEMORY=1 bash scripts/join.sh # Both M

VirusTotal

62/62 vendors flagged this skill as clean.
